by mjevans
2594 days ago
The example would be even better if it used the built-in functions to correctly escape and cast input types. CREATE FUNCTION public.realplusplus(integer) RETURNS integer LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog AS $$ DECLARE r integer; BEGIN EXECUTE format('SELECT %L + 1', $1) INTO r; RETURN r; END $$; However the search path limitation is still required due to the ability to override basic operators; something that I consider an anti-feature from a security standpoint since it does not LOOK to the casual observer that an overridable function exists. https://www.postgresql.org/docs/9.6/functions-string.html#FU...
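As an added example, not part of mjevans' comment: a hardened form of the same function (the name realplusplus is reused from the comment; pg_temp appended to the pinned search_path and an explicit cast are assumptions following the PostgreSQL documentation), followed by a catalog query a DBA can run to find SECURITY DEFINER functions that do not pin search_path at all.

```sql
-- Added example, not code from the comment above.
-- Hardened definition: search_path is pinned to pg_catalog, with pg_temp named
-- last so that temporary-schema objects cannot shadow catalog operators
-- (PostgreSQL searches pg_temp first unless it is listed explicitly), the
-- value is quoted by format() %L and then cast back to integer.
CREATE OR REPLACE FUNCTION public.realplusplus(integer)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
    r integer;
BEGIN
    -- Dynamic SQL built with format(); %L emits a properly quoted literal.
    EXECUTE format('SELECT %L::integer + 1', $1) INTO r;
    RETURN r;
END
$$;

-- Audit query: list SECURITY DEFINER functions outside the system schemas
-- whose per-function configuration (pg_proc.proconfig) does not set search_path.
SELECT n.nspname AS schema_name,
       p.proname  AS function_name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (p.proconfig IS NULL
       OR NOT EXISTS (SELECT 1
                      FROM unnest(p.proconfig) AS cfg
                      WHERE cfg LIKE 'search_path=%'))
ORDER BY 1, 2;
```

Functions returned by the audit query resolve operators and functions through the caller's search_path while running with the definer's privileges, which is exactly the exposure the comment describes.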